Recon 2015 Schedule

Dynamic Binary Instrumentation has become a common and convenient technique to inspect and alter the behaviour of binary files. However, convenience comes at the cost of transparency: as shown by [0, 1], it is trivial for a malicious binary to detect the presence of the instrumentation framework and consequently hide its actual behaviour. The approach to Dynamic Binary Instrumentation discussed in this talk leverages Virtual Machine Introspection (VMI) techniques to inspect the running binary from the virtual machine host, aiming to provide a transparent means of instrumenting an executable within its native environment. A working prototype implemented on top of the Linux Kernel Virtual Machine (KVM) is used to illustrate the practical relevance of the presented concept on selected reverse engineering challenges from past capture-the-flag contests as well as several real-world software protection mechanisms.